Description
Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration allows uploading of arbitrary files without proper validation. Malicious administrators could exploit this to upload unauthorized file types to the system. Version 9.2.0 contains a patch for the issue.
Published: 2026-02-27
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted upload of files leading to potential malicious content
Action: Patch
AI Analysis

Impact

This vulnerability in Kiteworks, prior to version 9.2.0, allows administrators to upload any file type without validation, enabling the placement of malicious or unauthorized files on the server. The lack of file‑type checks opens the possibility for attackers to introduce scripts or executables that could later be used for data exfiltration or further compromise if such files are accessed or executed on the system. The weakness is a classic uncontrolled file upload.

Affected Systems

Affected systems include Kiteworks, a private data network product, specifically versions earlier than 9.2.0 in the core file‑upload component. Administrators or users with elevated privileges can trigger the issue.

Risk and Exploitability

The CVSS score is 4.9, indicating a low to moderate impact, and the EPSS score of less than 1% signals that exploitation is unlikely to be widespread. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require administrative privileges on the Kiteworks instance; it does not appear to be remotely exploitable by external parties.

Generated by OpenCVE AI on April 16, 2026 at 15:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kiteworks to version 9.2.0 or later to apply the vendor fix.
  • If upgrading is not immediately possible, restrict file upload capabilities to trusted users or disable the upload feature entirely until a patch can be applied.
  • Implement stricter file type validation in the application’s file handling settings to ensure only approved file types are accepted, following the CWE‑434 guidance on input validation.

Generated by OpenCVE AI on April 16, 2026 at 15:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Accellion
Accellion kiteworks
CPEs cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*
Vendors & Products Accellion
Accellion kiteworks

Tue, 03 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Kiteworks
Kiteworks security-advisories
Vendors & Products Kiteworks
Kiteworks security-advisories

Fri, 27 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration allows uploading of arbitrary files without proper validation. Malicious administrators could exploit this to upload unauthorized file types to the system. Version 9.2.0 contains a patch for the issue.
Title Kiteworks Core has an Unrestricted Upload of File with Dangerous Type
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Accellion Kiteworks
Kiteworks Security-advisories
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T20:27:18.932Z

Reserved: 2026-02-26T01:52:58.733Z

Link: CVE-2026-28270

cve-icon Vulnrichment

Updated: 2026-03-03T20:27:15.325Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T21:16:18.397

Modified: 2026-03-04T19:50:06.187

Link: CVE-2026-28270

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses